Threat Alert: Vulnerabilities in the OpenPrinting Common Unix Printing System
New security vulnerabilities in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems could allow remote command execution under certain conditions. An unauthenticated remote attacker can silently replace the IPP URLs of existing printers or install new printers. This can lead to arbitrary command execution on the computer when a print job is started.
CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems, including ArchLinux, Debian, Fedora, Red Hat Enterprise Linux (RHEL), ChromeOS, FreeBSD, NetBSD, OpenBSD, openSUSE, and SUSE Linux.
The list of vulnerabilities is as follows:
- CVE-2024-47176 - cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
- CVE-2024-47076 - libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system
- CVE-2024-47175 - libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data in the resulting PPD
- CVE-2024-47177 - cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter
These shortcomings can result in an exploit chain, enabling an attacker to set up a malicious, fake printing device on a network-exposed Linux system using CUPS and execute remote code when a print job is sent.
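As an added example (not code from this advisory or from OpenPrinting), the following read-only check looks for the two host-side conditions the chain depends on: a UDP 631 listener bound to all interfaces, and PPD files that route jobs through foomatic-rip or carry a FoomaticRIPCommandLine directive. It assumes the input is text captured from `ss -ulnp` and the contents of a PPD file (CUPS normally keeps these under /etc/cups/ppd); the function names and sample data are constructed for illustration.

```python
# Added example: read-only exposure checks for the CUPS chain described above.
WILDCARD_HOSTS = {"0.0.0.0", "*", "::", "[::]"}

def wildcard_udp_631(ss_output):
    """Return local addresses in `ss -ulnp` text bound to UDP 631 on every interface."""
    hits = []
    for line in ss_output.splitlines():
        for token in line.split():
            host, sep, port = token.rpartition(":")
            if sep and port == "631":
                # The first :631 token on a line is the local address;
                # strip an optional %interface scope before comparing.
                if host.split("%")[0] in WILDCARD_HOSTS:
                    hits.append(token)
                break
    return hits

def ppd_findings(ppd_text):
    """Return (line_number, reason) for PPD lines that involve foomatic-rip.

    Legitimate Foomatic drivers also use these keywords, so a hit means
    "review this printer and where it came from", not proof of compromise.
    """
    findings = []
    for number, line in enumerate(ppd_text.splitlines(), 1):
        text = line.strip()
        if text.startswith("*FoomaticRIPCommandLine"):
            findings.append((number, "FoomaticRIPCommandLine"))
        elif text.startswith("*cupsFilter") and "foomatic-rip" in text:
            findings.append((number, "foomatic-rip filter"))
    return findings

# Constructed sample inputs (not captured from a real host).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631        0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=801,fd=5))
"""
PPD_SAMPLE = """\
*PPD-Adobe: "4.3"
*NickName: "Constructed Sample Printer"
*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 foomatic-rip"
*FoomaticRIPCommandLine: "CONSTRUCTED-PLACEHOLDER"
"""

if __name__ == "__main__":
    print("wildcard UDP 631 listeners:", wildcard_udp_631(SS_SAMPLE))
    print("PPD lines to review:", ppd_findings(PPD_SAMPLE))
```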
What Quadrant is doing for our clients: Our team of Threat Analysts and Detection Engineers have updated our detections and will continue monitoring for these threat signatures.